The FCC says it will give ISPs a year—and theoretically even longer—to get their subs' permission (notice and choice) before sharing web browsing and app use histories with third parties for marketing and other purposes.
A divided FCC voted Oct. 27 on the new broadband privacy opt-in regime for sharing web browsing and app info. The order also includes data security and data breach notification rules, as well as a prohibition on making info sharing a quid pro quo for service and a case-by-case look at offering incentives to share info.
The commission released the 200-plus page order on broadband privacy Thursday, which makes clear the FCC sees ISPs as gatekeeping bottlenecks with data access beyond that of the edge providers the FCC declines to regulate but also recognizes they will need time to institute a new regulatory regime based on that assumption.
The order says ISPs won't have to implement that new opt-in notice and choice regime for that and other sensitive information for at least a year after the order is published in the Federal Register, which should be in the next couple of weeks.
“Carriers will need to analyze the new, harmonized privacy rules as well as coordinate with various business segments and vendors, and update programs and policies,” the FCC said. “Carriers will also need to engage in consumer outreach and education. These implementation steps will take time and we find, as supported in the record, that twelve months after publication of the Order in the Federal Register is an adequate minimum implementation period to implement the new notice and approval rules.”
Actually, it could be even longer, since the language says either 12 months or eight weeks after the announcement of Office of Management and Budget approval of the new paperwork obligations associated with the rules, whichever is later.
The data breach notification rules will be effective “the later of (1) PRA approval, or (2) six months after the Commission publishes a summary of the Order in the Federal Register”; data security rules “90 days after publication of a summary of the Order in the Federal Register”; and prohibitions on conditioning service on sharing personal info “30 days after publication of a summary of this Order in the Federal Register.”
The FCC said in the order that it had received over 250,000 comments on the proceeding and that it had "listened and learned" from the record.
But one thing chairman Tom Wheeler's FCC has remained consistent on is its view of ISPs.
"A number of broadband providers, their associations, as well as some other commenters argue that because broadband providers are part of a larger online eco-system that includes edge providers, they should not be subject to a different set of regulations," the order said. "These arguments ignore the particular role of network providers and the context of the consumer/BIAS [broadband Internet access service] provider relationship, and the sector-specific privacy statute that governs the use and sharing of information by providers of telecommunications services. Based on our review of the record, we reaffirm our earlier finding that a broadband provider 'sits at a privileged place in the network, the bottleneck between the customer and the rest of the Internet'—a position that we have referred to as a gatekeeper. As such, BIAS providers can collect 'an unprecedented breadth' of electronic personal information."
The order said that "without appropriate privacy protections, use or disclosure of information that our broadband providers collect about us would be at odds with our privacy interests."
The order uses the "first person plural" to associate its authors with all that personal information. "Broadband providers provide the 'on ramp' to the Internet. These providers therefore have access to vast amounts of information about their customers including when we are online, where we are physically located when we are online, how long we stay online, what devices we use to access the Internet, what websites we visit, and what applications we use."
ISPs were hoping the FCC would take a page from the Federal Trade Commission, which did not make web browsing and app use history opt in when it had authority over ISP privacy—the FCC inherited that authority when it reclassified ISPs as common carriers—and does not require it of the edge providers—Google, Facebook—whose online privacy practices it still oversees.
The FCC says its new rules focus on transparency, choice and data security and on harmonizing the broadband rules with phone privacy rules—now that ISPs and other telecoms are in the same Title II common carrier regulatory silo.
The FCC will also preempt state privacy, data security and data breach laws that conflict with its new rules.